Webcurl provides an initial response within 2 hours for critical tickets with a proposed action and resolution timescale being posted within 4 working hours. Other tickets will be acknowledged within a maximum of 4 hours with a proposed action and resolution timescale being posted the same day.

Webcurl provide help-desk support via telephone, e-mail and the online portal during the hours of 9.00am to 5.00pm UK time (excluding weekends and days which are public holidays in England).

Support available to third parties

Yes

Onboarding and offboarding

Onboarding and offboarding

Getting started

Training and documentation are provided for the solution

Development work and training is provided on an ad-hoc basis and is for a set amount of days.

Additional help is provided via our support agreement and is detailed further in the support agreement.

Service documentation

Yes

Documentation formats

PDF

End-of-contract data extraction

All data will be returned to the customer via a backup of the MYSQL database the product uses.

As we use open source technology this data can be accessed freely by restoring the database to the given product.

End-of-contract process

Contract includes hosting of the portal connector and CMS platform. An initial 10 hours of support is included in the package.

Additional hours of support and consultancy work can also be added as an extra.

Using the service

Using the service

Web browser interface

Yes

Supported browsers

Internet Explorer 8

Internet Explorer 9

Internet Explorer 10+

Microsoft Edge

Firefox

Chrome

Safari 9+

Opera

Application to install

No

Designed for use on mobile devices

Yes

Differences between the mobile and desktop service

Manly layout and re-organistion of data on screens.

Accessibility standards

WCAG 2.0 AAA

Accessibility testing

We have used third party eye tracking companies to test the usability of our software.

API

No

Customisation available

Yes

Description of customisation

Look and feelfunctionalityAs we use the Open source platform Drupal most customisations and configurations can be performed using standard Drupal coding practices

Scaling

Scaling

Independence of resources

Due to our services being in the cloud we can add additional resources to a tenant as and when required.

We also monitor neighbouring tenants to ensure they are not abusing the rights to use the service.

Analytics

Analytics

Service usage metrics

Yes

Metrics types

Visitors and access to the site, last logged in etc.

Reporting types

Real-time dashboards

Reports on request

Resellers

Resellers

Supplier type

Reseller providing extra features and support

Organisation whose services are being resold

Microsoft

Staff security

Staff security

Staff security clearance

Staff screening not performed

Government security clearance

Up to Developed Vetting (DV)

Asset protection

Asset protection

Knowledge of data storage and processing locations

Yes

Data storage and processing locations

United Kingdom

User control over data storage and processing locations

Yes

Datacentre security standards

Complies with a recognised standard (for example CSA CCM version 3.0)

Penetration testing frequency

At least once a year

Penetration testing approach

In-house

Protecting data at rest

Physical access control, complying with CSA CCM v3.0

Data sanitisation process

Yes

Data sanitisation type

Explicit overwriting of storage before reallocation

Equipment disposal approach

In-house destruction process

Data importing and exporting

Data importing and exporting

Data export approach

A full backup of a MYSQL database will be provided ion demand.

Data export formats

CSV

Data import formats

CSV

Data-in-transit protection

Data-in-transit protection

Data protection between buyer and supplier networks

Private network or public sector network

TLS (version 1.2 or above)

Data protection within supplier network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience

Guaranteed availability

Webcurl agrees to provide Licensee with access to the currently published SaaS version of the Licensed Software via the Internet. During any calendar month, the Licensed Software shall be available to Licensee 99.9% of the time via the Internet except for:(i) the time during which the Licensed Software is unavailable so that Webcurl or the hosting provider can perform maintenance for security and system integrity purposes and provide Upgrades, also known as "Planned Maintenance Downtime";(ii) downtime caused by circumstances beyond Webcurl’s control, including without limitation, acts of God, acts of government, flood, fire, earthquakes, acts of terror, war, third party strikes and other labor problems, or other events of force majeure;

iii) general Internet outages, failure of Licensee's infrastructure or connectivity, computer and telecommunications failures and delays not within Webcurl’s control; and

(iv) network intrusions or denial-of-service attacks.

n the event that Webcurl fails to maintain the foregoing availability of the Licensed Software during any calendar month of the subscription, Licensee's sole and exclusive remedy shall be to request a service credit in the following percentages ofthe prorated monthly fees 99.9%, but greater than 99.5% 10%;99.5%, but greater than 99.0%25%; 99.0%, a service credit of 50%.

Operational security

All our change management is handled by the software repository GIT. this provides us with documented evidence of when changes were processed and who completed the change.

All changes are run through standard security tests before being deployed in a live environment.

Vulnerability management type

Supplier-defined controls

Vulnerability management approach

Threats to our system are assessed by our security team.

As we are extending third party software we are reliant to some degree of them notifying us of issues. the Open Source community is very good at releasing security updates, usual weekly, and these are applied automatically to our solutions.

Protective monitoring type

Supplier-defined controls

Protective monitoring approach

We actively monitor and are notified of any security issues from all the technology vendors we have in our stack.

Incident management type

Supplier-defined controls

Incident management approach

All security incident resolution is fully documented and actioned immediately.

Users can report incidents via the help desk portal and these will be reviewed and categorised accordingly.

Reports are available via our portal on all incidents past and present.